Based on 2v0-41.20 questions, seems to be Profile. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-63262728-CA72-47D2-8E4F-16617B63A9A4.html

For a distributed firewall rule to match traffic based on the domain name of a specific application, the administrator would configure the "profile" field of the rule. Profile - Additional criteria like user, URL category, domain etc The "policy" field in NSX is for assigning security policies to objects, rather than directly defining rule matching logic. So the "profile" field is used to inject domain/URL inspection into the rule match.

In a distributed firewall rule, the policy field is used to define the criteria that must be met for the rule to be applied. This criteria can include the source and destination IP addresses, the port numbers, and the domain name of the application. The other answer choices are incorrect: Profile: The profile field is used to specify the security context profile that should be applied to the rule. Service: The service field is used to specify the port number or protocol that the rule should apply to. Source: The source field is used to specify the source IP address or range of IP addresses that the rule should apply to. Here is an example of a distributed firewall rule that is configured to allow traffic to a specific application based on the domain name

https://docs.vmware.com/en/VMware-NSX/4.0/administration/GUID-654F5332-2978-49F8-BE83-297E5C69C22F.html

I suppose you can properly use FQDN only in the Context Profile field.

Service is correctly...